RHEL 9 : jq (RHSA-2026:19365)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:19365 advisory. jq is a lightweight and flexible command-line JSON processor. jq is like sed for JSON data. You can use it to slice, filter, map, or...

@antv/dumi-theme-antv (>=0.3.0 <=0.8.4), @hjkl6/dumi-theme-antv (>=0.5.6 <=0.5.9) +3 more potentially affected by unknown CVE via uri-parse (=1.0.0)

uri-parse NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on uri-parse and may be impacted: - @antv/dumi-theme-antv =0.3.0, =0.5.6, =0.0.1, =0.1.1, =0.1.0, =0.1.1 Source cves: unknown CVE Source advisory: OSV:MAL-2026-4157...

PT-2026-42043

Impact In deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious long query to any application using the parser to trigger a Denial of Service through resource exhaustion. Patches Versions 4.2.0 and up contain a configurable parse node...

Malicious code in uri-parse (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

CVE-2026-8836

A vulnerability was found in lwIP up to 2.2.1. Affected is the function snmpparseinboundframe of the file src/apps/snmp/snmpmsg.c of the component snmpv3 USM Handler. Performing a manipulation of the argument msgAuthenticationParameters results in stack-based buffer overflow. The attack may be...

EUVD-2026-30793

A vulnerability was found in lwIP up to 2.2.1. Affected is the function snmpparseinboundframe of the file src/apps/snmp/snmpmsg.c of the component snmpv3 USM Handler. Performing a manipulation of the argument msgAuthenticationParameters results in stack-based buffer overflow. The attack may be...

NPM: parse-nested-form-data has Prototype Pollution via `__proto__` in FormData field names

NPM: parse-nested-form-data has Prototype Pollution via proto in FormData field names vulnerability discovered by ? in WordPress Npm parse-nested-form-data versions = 1.0.0...

GHSA-XP7R-J8R6-J9H3 parse-nested-form-data has Prototype Pollution via `__proto__` in FormData field names

Summary parseFormData walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with proto, or contains .proto. mid-path, causes the parser to traverse onto Object.prototype and assign properties...

Prototype Pollution

Overview parse-nested-form-data is an A tiny node module for parsing FormData by name into objects and arrays Affected versions of this package are vulnerable to Prototype Pollution via the parseFormData process. An attacker can modify the prototype of all plain objects in the running process by...

JLSEC-2026-510

In LibSass 3.5.5, a heap-based buffer over-read exists in Sass::Prelexer::skipoverscopes in prelexer.hpp when called from Sass::Parser::parseimport, a similar issue to CVE-2018-11693...

JLSEC-2026-507

LibSass before 3.6.3 allows a NULL pointer dereference in Sass::Parser::parseCompoundSelector in parserselectors.cpp...

jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers

A flaw was found in jq, a command line JSON processor, specifically in the libjq API. Parsing a malformed JSON input from a non-NUL-terminated buffer using the jvparsesized function can cause an out-of-bounds read, resulting in an application crash and a possible memory disclosure within the erro...

Important: Red Hat Security Advisory: jq security update

An update for jq is now available for Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is availabl...

jq: out-of-bounds read in jv_parse_sized() on error formatting for non-NUL-terminated buffers

A flaw was found in jq, a command line JSON processor, specifically in the libjq API. Parsing a malformed JSON input from a non-NUL-terminated buffer using the jvparsesized function can cause an out-of-bounds read, resulting in an application crash and a possible memory disclosure within the erro...

Malicious Package

Overview parse-regex-string is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious code in parse-escape-regex-string (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 41f2d6da130b64c53517f7be20b6f43e0fde62b07a805a2689d1baa4f8c30c1c The package parse-escape-regex-string was found to contain malicious code. Source: ghsa-malware...

Malicious code in parse-regex-string (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4d7619f0cfdbd6c6bd09c366186aa4b333ed935b4bc33580097d598b3fc8bd5b The package parse-regex-string was found to contain malicious code. Source: ghsa-malware...

MAL-2026-3823 Malicious code in parse-escape-regex-string (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 41f2d6da130b64c53517f7be20b6f43e0fde62b07a805a2689d1baa4f8c30c1c The package parse-escape-regex-string was found to contain malicious code. Source: ghsa-malware...

Malicious Package

Overview parse-escape-regex-string is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

MAL-2026-3824 Malicious code in parse-regex-string (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4d7619f0cfdbd6c6bd09c366186aa4b333ed935b4bc33580097d598b3fc8bd5b The package parse-regex-string was found to contain malicious code. Source: ghsa-malware...